[123450] in North American Network Operators' Group


Re: PPP+RADIUS - routing subnets to end users - Framed-Route vs.

daemon@ATHENA.MIT.EDU (George Carey)
Mon Mar 8 18:33:46 2010

From: George Carey <george@montco.net>
In-Reply-To: <E00B9EBD1532EF4EABA3C51B190BA615048DF7239F0D@klsapp1.klssys.com>
Date: Mon, 8 Mar 2010 18:33:32 -0500
To: Erik L <erik_list@caneris.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


We've always considered the WAN and LAN to be different objects so our history is to prefer the method you think is 'better.' Seems this model has been around since the dialin days.

We also have customers with multiple routes so it seems a logical separation. Failover might be a bit more flexible too since you can control some parameters of the Framed Route.

I know some people use RFC1918 addresses for WAN which might be a factor (we do not).

Perhaps in some network strategies the lines between WAN and LAN may be a bit more blurred than ours.

George


On Mar 8, 2010, at 6:10 PM, Erik L wrote:

> Scenario: with the help of RADIUS, routing subnets to end users connecting via PPP.
>
> Discussion: pros/cons of using Framed-IP-Address+Framed-Route versus Framed-IP-Address+Framed-IP-Netmask.
>
> We're talking here in generic terms, so as far as the behaviour of the LNS or access concentrator or whatever else is receiving the Access-Accept and terminating the ppp session, we're assuming more or less sane behaviour, roughly as follows. In the first alternative, the IP address on the ppp link is outside the subnet indicated by Framed-Route and one or more subnets are routed via the link; one such subnet per Framed-Route attrib. In the second alternative, the one subnet routed is that which contains the Framed-IP-Address and is as large as the Framed-IP-Netmask indicates.
>
> I'm arguing to a colleague that the first alternative is "better", non-/32 netmasks on a ppp link make no sense (since netmasks on point-to-point links don't matter anyway), that the second alternative doesn't allow users to make use of their allocated space as easily and effectively as the first alternative, and that the second alternative is limited to routing one subnet (though you might be able to mix Framed-IP-Netmask and Framed-Route together?).
>
> Comments? How are others doing it and why?
>
> Erik
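
The two alternatives described in the quoted message, worked through as an added example that is not part of the original thread or any vendor's code. It assumes the "more or less sane" concentrator behaviour the message describes, Framed-Route values in the RFC 2865 text form ("prefix/len gateway metric") with an explicit prefix length, and constructed replies using documentation address space; the function and variable names are hypothetical.

```python
import ipaddress

def routes(attrs):
    """Routes installed for one Access-Accept, as (prefix, next hop) pairs.

    attrs is a dict of reply attributes; Framed-Route is a list because the
    attribute may appear once per routed subnet.
    """
    link = ipaddress.IPv4Address(attrs["Framed-IP-Address"])
    mask = attrs.get("Framed-IP-Netmask", "255.255.255.255")
    # Framed-IP-Netmask widens the route for the link address itself
    # (a /32 host route when the attribute is absent).
    out = [(ipaddress.IPv4Network(f"{link}/{mask}", strict=False), link)]
    for text in attrs.get("Framed-Route", []):
        fields = text.split()
        # strict=True rejects prefixes with host bits set, e.g. 203.0.113.9/29
        prefix = ipaddress.IPv4Network(fields[0], strict=True)
        gw = ipaddress.IPv4Address(fields[1]) if len(fields) > 1 else link
        if gw.is_unspecified:  # RFC 2865: 0.0.0.0 means the user's address
            gw = link
        out.append((prefix, gw))
    return out

def link_inside_routed_subnet(attrs):
    """True when the PPP link address sits inside a routed subnet wider than /32."""
    link = ipaddress.IPv4Address(attrs["Framed-IP-Address"])
    return any(link in p and p.prefixlen < 32 for p, _ in routes(attrs))

# Constructed sample replies (assumed values, documentation address space).
FRAMED_ROUTE = {
    "Framed-IP-Address": "198.51.100.7",
    "Framed-Route": ["203.0.113.8/29 0.0.0.0 1", "203.0.113.64/28 0.0.0.0 1"],
}
FRAMED_NETMASK = {
    "Framed-IP-Address": "203.0.113.9",
    "Framed-IP-Netmask": "255.255.255.248",
}

if __name__ == "__main__":
    for name, reply in (("Framed-Route", FRAMED_ROUTE),
                        ("Framed-IP-Netmask", FRAMED_NETMASK)):
        print(name, [f"{p} via {gw}" for p, gw in routes(reply)],
              "link inside routed subnet:", link_inside_routed_subnet(reply))
```

With Framed-Route the link address stays outside both routed subnets, so every address in them is available behind the customer router; with Framed-IP-Netmask the single routed /29 already contains the link address.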



